Our servers are not vulnerable to the “Heartbleed” SSL security bug

Yesterday, Internet security researchers announced the discovery of the Heartbleed SSL security bug. This bug lets attackers read private memory from servers that use certain versions of software called “OpenSSL”, exposing data that SSL encryption is supposed to protect.

Our servers are not, and never have been, vulnerable to this bug, because we’ve never used the affected versions of the OpenSSL software. Our customers are not affected by it in any way.

Technical details

At the time the bug was disclosed, we were using Debian Linux openssl version “0.9.8o-4squeeze14”, which was not vulnerable: the 0.9.8 branch of OpenSSL does not contain the TLS heartbeat code in which the bug lives.

After the bug was disclosed, we upgraded to a newer version of the openssl library for unrelated reasons and began using version “1.0.1e-2+deb7u7”, which is also not vulnerable according to the Debian page about this bug: “For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5 [and later]”.

Note that the fix is in the form of a Debian security backport. This leaves the base version number as “1.0.1e”, with the extra “-2+deb7u7” indicating the patched version. This can be confusing if you simply check the base version (one of our customers saw “1.0.1e” in the output of the “ssh -v” command, for example, and thought this meant it was vulnerable).

We don’t know whether Total Commander uses the OpenSSL library, but it wouldn’t matter even if it does, from the perspective of our end. Since we’ve never had a vulnerable version of the OpenSSL library present on any of our servers at any time, there’s no way for anyone to have ever used this bug to retrieve any information from any of our servers.

If you’re using software on your computer that uses its own private copy of the vulnerable OpenSSL library, but that software doesn’t run as a “server” on your computer, that’s not a problem either. The problem only happens when server software — software that listens for incoming connections from “strangers”, like an SSL Web server — uses the vulnerable version of the OpenSSL library.

So even if your Total Commander software uses a vulnerable version of OpenSSL on your own computer, it would only be a risk if strangers are also allowed to make incoming SSL connections to Total Commander running on your computer, which almost certainly isn’t the case.

on Thursday, April 10, 2014 at 12:56 pm (Pacific) Russ wrote:

Another example of why Tiger Tech is flat out the best hosting company on the planet!